Abstract. A standard method for computing a rational number from
its values modulo a collection of primes is to determine its value
modulo the product of the primes via Chinese Remaindering, and then use
Farey sequences for rational reconstruction. Successively enlarging the
set of primes if needed, this method is guaranteed to work if we restrict
ourselves to "good" primes. Depending on the particular application,
however, there is often no efficient way of finding good primes. This note
shows that in most situations, we can simply ignore this problem. In
fact, we present an error tolerant algorithm for rational reconstruction.
With regard to applications, we are particularly interested in the design
of modular and, thus, parallel versions of algorithms in commutative
algebra and algebraic geometry. Here, typically, the final result consists of
one or several a priori unknown ideals which are found via constructions
yielding the (reduced) Gröbner bases of the ideals.



1. Introduction 

Rational reconstruction is a standard way of obtaining results in
characteristic zero from results in characteristic p > 0. This is of particular use in
the design of parallel algorithms and in situations where the growth of
intermediate results matters. Classical applications are the computation of
polynomial greatest common divisors (see [Wang 1981], [Encarnación 1995]) and
Gröbner bases (see [Arnold 2003], [Idrees et al. 2011]). Here, the Gröbner
bases algorithms start from an ideal already given. In contrast, more recent
applications in commutative algebra and algebraic geometry (see, for example,
[Böhm et al. 2011], [Böhm et al. 2012]) require that we find an unknown
ideal via a construction which computes the ideal by computing its (reduced)
Gröbner basis. Here, for the purpose of modularization, we suppose that the
construction applies to some given input data in characteristic zero as well
as to "most" modular values of the input data. In such a situation, problems
may arise in cases where the desired Gröbner basis in characteristic
zero does not necessarily reduce to the Gröbner basis obtained in
characteristic p. Usually, a first step to resolve these problems is to show that the
"bad" primes p are "rare". Note, however, that the actual test of whether a 
given prime is bad (and should, hence, be discarded) may not be effective or 
may require expensive computations of invariants. Hence, a reconstruction 
algorithm which will return the correct result even in the presence of bad 
primes will be of great use. In this note, we describe such an algorithm. 
The algorithm will work whenever there are only finitely many bad primes. 
To begin, in Section 2 we recall the classical approach to rational
reconstruction which is based on the lifting of modular to rational results by
computing Farey preimages via Euclidean division with remainder. In
Section 3, to illustrate the need for error tolerant rational reconstruction, we
discuss a general setup for applications in commutative algebra and
algebraic geometry. Finally, in Section 4 we present the new lifting algorithm
based on Gaussian reduction and discuss the resulting error tolerant
reconstruction algorithm.

2. Reconstruction of a single rational number 

We describe the reconstruction of a single unknown number $x \in \mathbb{Q}$. In
typical applications, this number will occur as a coefficient of some unknown
vector or polynomial or element of a Gröbner basis. Also, frequently in this
context, once the rational number (vector, polynomial, Gröbner basis) has
been found, it is comparably easy to verify the correctness of the result.

We use the following notation: Given an integer $N > 2$ and a number
$x = a/b \in \mathbb{Q}$ with $\gcd(a, b) = 1$ and $\gcd(b, N) = 1$, the value of $x$ modulo $N$
is

$$x_N := \left(\frac{a}{b}\right)_N := (a + N\mathbb{Z})(b + N\mathbb{Z})^{-1} \in \mathbb{Z}/N\mathbb{Z}.$$

We also write $x \equiv r \bmod N$ if $r \in \mathbb{Z}$ represents $x_N$.

In what follows, we suppose that in the context of some application, we
are given an algorithm which computes the value of the unknown number
$x \in \mathbb{Q}$ modulo any prime p, possibly rejecting the prime. For reference
purposes, we formulate this in the black box type Algorithm 1.



Algorithm 1 Black Box Algorithm x mod p
Input: A prime number p.
Output: false or an integer $0 \le s \le p - 1$ such that $x \equiv s \bmod p$.
Assumption: There are only finitely many primes p where the return value is false.



Once the values of x modulo the primes in a sufficiently large set of primes
V have been computed, we may find x via a lifting procedure consisting of
two steps: First, use Chinese remaindering to obtain the value of x modulo
the product $N := \prod_{p \in V} p$. Second, compute the preimage of this value
under the Farey rational map which is defined as follows.

For an integer $B > 0$, set

$$F_B = \left\{ \frac{a}{b} \in \mathbb{Q} \;\middle|\; \gcd(a, b) = 1,\ 0 \le a \le B,\ 0 < |b| \le B \right\},$$

and for $m \in \mathbb{Z}/N\mathbb{Z}$, let

$$Q_{N,m} = \left\{ \frac{a}{b} \in \mathbb{Q} \;\middle|\; \gcd(a, b) = 1,\ \gcd(b, N) = 1,\ \left(\frac{a}{b}\right)_N = m \right\}$$

be the set of rational numbers whose value modulo N is m. Then
$Q_N = \bigcup_{m=0}^{N-1} Q_{N,m}$ is a subring of $\mathbb{Q}$ with identity. If B is an integer with
$B \le \sqrt{(N-1)/2}$, then the Farey map

$$\varphi_{B,N} : F_B \cap Q_N \to \mathbb{Z}/N\mathbb{Z}, \quad \frac{a}{b} \mapsto \left(\frac{a}{b}\right)_N,$$

is well-defined and injective (but typically not surjective). To obtain the
injective map with the largest possible image for a given N, we tacitly
suppose in what follows that B is chosen as large as possible for N.

Algorithm 2 below will return $\varphi_{B,N}^{-1}(r)$ if r is in the image of the Farey
map, and false otherwise (see, for example, [Kornerup and Gregory 1983],
[Wang 1981], [Wang et al. 1982]).



Algorithm 2 Farey Preimage

Input: Integers $N > 2$ and $0 \le r \le N - 1$.
Output: false or a rational number a/b with $\gcd(a, b) = 1$, $\gcd(b, N) = 1$,
$a/b \equiv r \bmod N$, $0 \le a \le \sqrt{(N-1)/2}$, $0 < |b| \le \sqrt{(N-1)/2}$.
1: $(a_0, b_0) := (N, 0)$, $(a_1, b_1) := (r, 1)$, $i := -1$
2: while $2a_{i+2}^2 > N - 1$ do
3:     $i := i + 1$
4:     divide $a_i$ by $a_{i+1}$ to find $q_i, a_{i+2}, b_{i+2}$ such that
       $(a_i, b_i) = q_i (a_{i+1}, b_{i+1}) + (a_{i+2}, b_{i+2})$
       and $0 \le a_{i+2} < a_{i+1}$
5: if $2b_{i+2}^2 \le N - 1$ and $\gcd(a_{i+2}, b_{i+2}) = 1$ then
6:     return $a_{i+2}/b_{i+2}$
7: return false



Remark 2.1. As pointed out in [Collins et al. 1994], dropping the
requirement $\gcd(a_{i+2}, b_{i+2}) = 1$ may lead to an invalid result: For $N = 12$ and
$r = 5$, the algorithm would return $2/(-2)$, but $-2$ and $12$ are not coprime.
Note, however, that $2 \equiv (-2) \cdot 5 \bmod 12$ and, thus, $1 \equiv (-1) \cdot 5 \bmod 6$.

Summing up, we get the classical reconstruction Algorithm 3.



Algorithm 3 Reconstruction of a Rational Number

Input: Algorithm 1 and a way to verify that a computed number equals x.
Output: x
1: N := 1, r := 0
2: p := 2
3: loop
4:     let s be the return value of Algorithm 1 applied to p
5:     if s = false then
6:         continue with step 13
7:     find 1 = eN + fp and set r := rfp + seN, N := Np
8:     let y be the return value of Algorithm 2 applied to N and r
9:     if y = false then
10:        continue with step 13
11:    if y = x then
12:        return y
13:    p := NextPrime(p)



We remind the reader that our setup in this section is somewhat special
in that we suppose that our Black Box Algorithm 1 either returns false or
a correct answer. For most applications, however, there exist primes p which
are bad in the sense that the algorithm under consideration returns a wrong
answer modulo p. This can, for example, happen in linear algebra: Suppose,
we are given a matrix $M \in \mathbb{Z}^{n \times n}$ with $\dim \ker M = 1$. For each prime p, let
$M_p$ be the reduction of M modulo p. Then, in order to compute (a basis
vector of) $\ker M$, we may compute $\ker M_p$ for suitable primes p, and then
apply the strategy outlined above to the coefficients of the basis vectors.
As long as always $\dim \ker M_p = 1$, the lifting will work if the computed
kernel vectors are conveniently normalized to make them unique. On the
other hand, if we encounter a bad prime for M, that is, a prime p with
$\dim \ker M_p > 1$, we typically find a random kernel vector modulo p. This is
not a problem since primes which are bad for M can be easily detected by
checking the rank of $M_p$. For the applications we have in mind, however,
detecting bad primes may not be feasible. In this note, we show that if there
are only finitely many bad primes, they can just be ignored. More precisely,
we show that in Algorithm 3 we may call the black box type Algorithm 4
below instead of Algorithm 1 provided we call the lifting Algorithm 6 from
Section 4 instead of Algorithm 2.



Algorithm 4 Black Box Algorithm x mod p

Input: A prime number p.
Output: false or an integer $0 \le s \le p - 1$.
Assumption: There are only finitely many primes p where either the return
value is false or $x \not\equiv s \bmod p$.



3. A setup for applications in algebra and geometry

As a motivation for the error tolerant version of rational reconstruction
presented in the next section, we use this section to discuss a general
computational setup for applications in commutative algebra and algebraic
geometry which requires error tolerance. A setup of this type occurs, for
example, when computing normalization or when computing adjoint curves.
See [Böhm et al. 2011], [Böhm et al. 2012] and Example 3.9 below.

To begin, fix a global monomial ordering > on the semigroup of monomials
in the variables $X = \{X_1, \dots, X_n\}$. Consider the polynomial rings
$W = \mathbb{Q}[X]$ and, given an integer $N > 2$, $W_N = (\mathbb{Z}/N\mathbb{Z})[X]$. If $T \subset W$ or
$T \subset W_N$ is a set of polynomials, then denote by $\mathrm{LM}(T) := \{\mathrm{LM}(f) \mid f \in T\}$
its set of leading monomials. If $f \in W$ is a polynomial such that N is
coprime to any denominator of a coefficient of f, then its reduction modulo
N is the polynomial $f_N \in W_N$ obtained by mapping each coefficient x of
f to $x_N$ as described in the previous section. If $H = \{h_1, \dots, h_t\} \subset W$ is
a Gröbner basis such that N is coprime to any denominator in any $h_i$, set
$H_N = \{(h_1)_N, \dots, (h_t)_N\}$. If $J \subseteq W$ is any ideal, its reduction modulo N is
the ideal

$$J_N = \langle f_N \mid f \in J \cap \mathbb{Z}[X] \rangle \subset W_N.$$

Notation: From now on, let $I \subset W$ be a fixed ideal.
Remark 3.1. For practical purposes, I is given by a set of generators. Fix
one such set $f_1, \dots, f_r$. Then the reduction of I modulo a prime p can be
realized via the equality

$$I_p = \langle (f_1)_p, \dots, (f_r)_p \rangle \subset W_p$$

which holds for all but finitely many primes p. When performing the
modular Algorithm 5 described below, we reject a prime p if one of the $(f_i)_p$ is not
defined. Otherwise, we work with the ideal on the right hand side instead
of $I_p$. This does not cause problems: The finitely many bad primes where
$\langle (f_1)_p, \dots, (f_r)_p \rangle$ differs from $I_p$ will not influence the result if we apply error
tolerant rational reconstruction.

In what follows, we suppose that we are given a construction which
associates to I a uniquely determined ideal $U(0) \subset W$, and to each reduction
$I_p$, with p a prime number, a uniquely determined ideal $U(p) \subset W_p$, where
we make the following assumption:

Assumption: We ask that $U(0)_p = U(p)$ for all but finitely many p.

We write G(0) for the uniquely determined reduced Gröbner basis of U(0),
and G(p) for that of U(p). In the applications we have in mind, we wish
to construct the unknown ideal U(0) from a collection of its characteristic
p counterparts U(p). Technically, given a finite set of primes V, we wish to
construct G(0) by computing the G(p), $p \in V$, and lifting the G(p)
coefficientwise to characteristic zero. Here, to identify Gröbner basis elements
corresponding to each other, we require that $\mathrm{LM}(G(p)) = \mathrm{LM}(G(q))$ for all

Definition 3.2. With notation as above, we define:

(1) A prime number p is called lucky if the following hold:

(a) $U(0)_p = U(p)$ and

(b) $\mathrm{LM}(G(0)) = \mathrm{LM}(G(p))$.
Otherwise p is called unlucky.

(2) A finite set V of lucky primes is called sufficiently large if

$$\prod_{p \in V} p > \max\left\{ 2 \cdot |c|^2 \;\middle|\; c \text{ a denominator or numerator of a coefficient occurring in } G(0) \right\}.$$

Remark 3.3. A modular algorithm for the fundamental task of computing
Gröbner bases is presented in [Arnold 2003] and [Idrees et al. 2011]. In
contrast to our situation here, where we wish to find the ideal U(0) by
computing its reduced Gröbner basis G(0), Arnold's algorithm starts from an
ideal which is already given. If p is a prime number, $J \subset W$ is an ideal, H(0)
is the reduced Gröbner basis of J, and H(p) is the reduced Gröbner basis of
$J_p$, then p is lucky for J in the sense of Arnold if $\mathrm{LM}(H(0)) = \mathrm{LM}(H(p))$.
It is shown in [Arnold 2003, Thm. 5.12 and 6.2] that if J is homogeneous
and p is lucky for J in this sense, then $H(0)_p$ is well-defined and equal
to H(p). Furthermore, by [Arnold 2003, Cor. 5.4 and Thm. 5.13], all but
finitely many primes are Arnold-lucky for a homogeneous J. Using weighted
homogenization as in the proof of [Idrees et al. 2011, Thm. 2.4], one shows
that these results also hold true in the non-homogeneous setup.
With respect to our notation of lucky, we have:

Lemma 3.4. The set of unlucky primes is finite.

Proof. By our general assumption, $U(0)_p = U(p)$ for all but finitely many
primes p. Given a prime p such that $U(0)_p = U(p)$, we have $\mathrm{LM}(G(0)) =
\mathrm{LM}(G(p))$ if p does not divide any denominator of any coefficient of any
polynomial occurring in Buchberger's Gröbner basis test for G(0). The
result follows. □

Lemma 3.5. If V is a sufficiently large set of lucky primes, then the reduced
Gröbner bases G(p), $p \in V$, lift to the reduced Gröbner basis G(0).

Proof. If p is lucky, then p is Arnold-lucky for U(0). Hence, as remarked
above, $G(0)_p = G(p)$. Since V is sufficiently large, the coefficients of the
Chinese remainder lift G(N), $N = \prod_{p \in V} p$, are in the image of the Farey
map. Since this map is injective, the lift of G(N) to characteristic zero
coincides with G(0). □

From a theoretical point of view, the idea of finding G(0) is now as follows:
Consider a sufficiently large set V of lucky primes, compute the reduced
Gröbner bases G(p), $p \in V$, and lift the results to G(0) as described above.

From a practical point of view, we face the problem that the defining
conditions of lucky and sufficiently large in Definition 3.2 cannot be tested
a priori. With regard to condition (1a), for instance, we compute G(p)
and, thus, U(p) on our way, but $U(0)_p$ is only known to us after G(0) and,
thus, U(0) have been found. As in Remark 3.1, this is not a problem:
Finitely many bad primes leading to an ideal U(p) different from $U(0)_p$ will
not influence our final result if we apply error tolerant rational
reconstruction. Condition (1b), on the other hand, is crucial since we use the leading
monomials to identify Gröbner basis elements corresponding to each other.
We therefore proceed in the following randomized way. First, fix an
integer $t > 1$ and choose a set of t primes V at random. Second, compute
$QV = \{G(p) \mid p \in V\}$, and use the following test to modify V so that all
primes in V satisfy condition (1b) with high probability:

deleteUnluckyPrimes: Define an equivalence relation on V by setting
$p \sim q :\Longleftrightarrow \mathrm{LM}(G(p)) = \mathrm{LM}(G(q))$. Then replace V by an equivalence class
of largest cardinality¹, and change QV accordingly.

Only now, we lift the Gröbner bases in QV to a set of polynomials $G \subset W$.
Since we do not know whether all primes in the chosen equivalence class are
indeed lucky and whether the class is sufficiently large, a final verification
in characteristic zero is needed. As this may be expensive, especially if
$G \ne G(0)$, we first perform a test in positive characteristic:

pTest: Randomly choose a prime number $p \notin V$ such that p does not divide
the numerator and denominator of any coefficient occurring in a polynomial
in G or $\{f_1, \dots, f_r\}$. Return true if $G_p = G(p)$, and false otherwise.

If pTest returns false, then V is not sufficiently large, or not all primes
in V are lucky (or the extra prime chosen in pTest is unlucky). In this
case, we enlarge the set V by t primes not used so far, and repeat the whole
process. If pTest returns true, however, then most likely G = G(0). It
makes, hence, sense to verify the result over the rationals. If the verification
fails, we enlarge V and repeat the process.
We summarize this approach in Algorithm 5.

¹ When computing the cardinality, take Remark 3.6 below into account.



Algorithm 5 Reconstruction of an Ideal

Input: An algorithm to compute G(p) from $I_p$, for each prime p, and a way
of verifying that a computed Gröbner basis equals G(0).
Output: The Gröbner basis G(0).
1: choose a list V of random primes
2: $QV = \emptyset$
3: loop
4:     for $p \in V$ do
5:         compute $G(p) \subset W_p$
6:         $QV = QV \cup \{G(p)\}$
7:     (V, QV) = deleteUnluckyPrimes(V, QV)
8:     lift QV to $G \subset W$ via Chinese remaindering and Algorithm 6 below
9:     if the lifting succeeds and pTest(I, G, V) then
10:        if G = G(0) then
11:            return G
12:    enlarge V with primes not used so far



Remark 3.6. If Algorithm 5 requires more than one round of the loop, the
cardinality count in deleteUnluckyPrimes has to be done with some
care: count all previous elements of V as just one element. Otherwise,
though highly unlikely in practical terms, it may happen that only unlucky
primes are accumulated.

Remark 3.7. Our lifting process works since reduced Gröbner bases are
uniquely determined. In practical terms, however, there is often no need
to reduce the Gröbner bases involved: it is only required that the
construction associating the Gröbner bases to I and its reductions yields uniquely
determined results.

Remark 3.8. We may allow that the computation of G(p) is not feasible for
finitely many primes p. In this case, the respective primes will be rejected.

Example 3.9. If K is any field, and $I \subset K[X]$ is a prime ideal, the
normalization $\overline{A}$ of the domain $A = K[X]/I$ is the integral closure of A in its
field of fractions Q(A). If K is perfect, the normalization algorithm given
in [Greuel et al. 2010] will find a "valid denominator" $d \in A$ and an ideal
$U \subset A$ such that $\frac{1}{d} U = \overline{A} \subset Q(A)$. In fact, U is uniquely determined if we
fix d. In practical terms, d and U are a polynomial and an ideal in $K[X]$,
respectively. If $K = \mathbb{Q}$ and p is a prime number, it may happen that $I_p$ is not
a prime ideal, that $d_p$ is not defined, or that $d_p$ is not a valid denominator.
See [Böhm et al. 2011] for the modular normalization algorithm.
4. Reconstruction with bad primes

In order to show that a reconstruction scheme as in Algorithm 5 can be
used even in the presence of bad primes, we turn rational reconstruction
into a lattice problem.

To begin with, given an integer $N > 2$, we define the subset $C_N \subseteq \mathbb{Z}/N\mathbb{Z}$
of elements applied to which Algorithm 6 below will return a rational number
(and not false). Let $C_N$ be the set of all $r \in \mathbb{Z}/N\mathbb{Z}$ such that there are
integers $u, v \in \mathbb{Z}$ with $u \ge 0$, $v \ne 0$, and $\gcd(u, v) = 1$ which satisfy the
following condition:

(1)  there is an integer $q \ge 1$ with $q \mid N$ and such that
     $u^2 + v^2 < \frac{N}{q^2}$ and $u \equiv vr \bmod \frac{N}{q}$.

In Lemma 4.2 below, we will prove that the rational number $\frac{u}{v} = \frac{uq}{vq}$
is uniquely determined by Condition (1). Hence, we have a well-defined
map

$$\psi_N : C_N \to \mathbb{Q}.$$

Note that the image of the Farey map $\varphi_{B,N}$, with $B = \lfloor \sqrt{(N-1)/2} \rfloor$, is
contained in $C_N$: If $r \in \mathrm{im}(\varphi_{B,N})$, then $\varphi_{B,N}^{-1}(r)$ satisfies Condition (1) with
$q = 1$. Furthermore, $\varphi_{B,N}^{-1}(r) = \psi_N(r)$.

Typically, the inclusion $\mathrm{im}(\varphi_{B,N}) \subset C_N$ is strict:

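Example 4.1. For $N = 2 \cdot 13$, we have $B = 3$, hence

$$\mathrm{im}(\varphi_{B,N}) = \{0, 1, 2, 3, 8, 9, 17, 18, 23, 24, 25\},$$

and the rational numbers which can be reconstructed by Algorithm 2 are
the elements of

$$F_B \cap Q_N = \left\{0, \pm 1, \pm 2, \pm 3, \pm\tfrac{1}{3}, \pm\tfrac{2}{3}\right\}.$$

On the other hand,

$$C_N = \{ r \mid 0 \le r \le 25,\ r \ne 5, 21 \},$$

and Algorithm 6 will reconstruct the rational numbers in

$$\psi_N(C_N) = \left\{0, \pm 1, \pm 2, \pm 3, \pm 4, \pm\tfrac{1}{2}, \pm\tfrac{1}{3}, \pm\tfrac{2}{3}, \pm\tfrac{4}{3}\right\}.$$

Note that the denominator of $\frac{1}{2} = \psi_N(7) = \psi_N(20)$ is not coprime to N. In
both cases, $q = 2$: We have $1 \equiv 2 \cdot 7 \bmod 13$ and $1 \equiv 2 \cdot 20 \bmod 13$.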

Now, fix $0 \le r \le N - 1$ such that $r \in C_N$, and consider the lattice
$\Lambda = \Lambda_{N,r} := \langle (N, 0), (r, 1) \rangle$ of discriminant N. Let u, v, q correspond to r as
in Condition (1). Then $(uq, vq) \in \Lambda_{N,r}$. Hence, the first minimum $m_1(\Lambda)$ of
$\Lambda$ satisfies $m_1(\Lambda) \le q^2 (u^2 + v^2)$.

Lemma 4.2. With notation as above, all $(x, y) \in \Lambda$ with $x^2 + y^2 < N$ are
collinear. That is, they define the same rational number x/y.

Proof. Let $\lambda = (x, y)$, $\mu = (c, d) \in \Lambda$ be vectors with $x^2 + y^2,\ c^2 + d^2 < N$.
Then $y\mu - d\lambda = (yc - xd, 0) \in \Lambda$, so $N \mid (yc - xd)$. Since $|yc - xd| < N$ by
Cauchy-Schwarz, we get $yc = xd$, as claimed. □
Next, consider integers $N', M > 2$, with $\gcd(M, N') = 1$, and such that
$N = N'M$. Let $a > 0$, $b \ne 0$ be integers such that $\gcd(b, N') = 1$, and let
$a \equiv bs \bmod N'$, with $0 \le s \le N' - 1$. Let $0 \le t \le M - 1$ be another integer,
and let $0 \le r \le N - 1$ be the Chinese remainder lift satisfying $r \equiv s \bmod N'$
and $r \equiv t \bmod M$. In practical applications, we think of N' and M as
the product of good and bad primes, respectively. By the following lemma,
Algorithm 6 below applied to N and r will return a/b independently of the
possibly "wrong result" t, provided that $M \ll N'$.

Lemma 4.3. With notation as above, suppose that $(a^2 + b^2) M < N'$. Then,
for all $(x, y) \in \Lambda = \langle (N, 0), (r, 1) \rangle$ with $(x^2 + y^2) < N$, we have $x/y = a/b$.
Furthermore, if $\gcd(a, b) = 1$ and (x, y) is a shortest nonzero vector in $\Lambda$,
we also have $\gcd(x, y) \mid M$.

Proof. From $a \equiv bs \bmod N'$, we get $a - bs = k_1 N'$ for some $k_1$. Moreover,
$s \equiv r \bmod N'$ gives $r = s + k_2 N'$. Now $(aM, bM) - bM(r, 1) = (aM - brM, 0)$
and $aM - brM = M(a - br) = M(a - b(s + k_2 N')) = M(a - bs) - k_2 bN =
k_1 N - k_2 bN$, thus $(aM, bM) \in \Lambda$. Since $(a^2 + b^2) M < N'$, Lemma 4.2 gives
$a/b = aM/bM = x/y$ for all $(x, y) \in \Lambda$ such that $(x^2 + y^2) < N$.

For the second statement, write $A := (aM, bM)$ and $X := (x, y)$. By
Lemma 4.2, there is a $\lambda = \frac{s}{t} \in \mathbb{Q}$, with $\gcd(s, t) = 1$, and such that $\lambda X = A$.
The Euclidean Algorithm gives integers e, f with $et + sf = 1$, hence

$$\frac{X}{t} = (et + sf) \frac{X}{t} = eX + fA \in \Lambda.$$

Since X is a shortest vector in the lattice, it follows that $t = \pm 1$, hence
$A = \pm sX$. Since $\gcd(a, b) = 1$, we conclude that $\gcd(x, y) \mid M$. □

The use of this lemma is twofold. First, it allows us to ignore bad primes 
in the design of modular algorithms - as long as there are not too many 
bad primes. Second, factorizing the gcd of the components of a shortest 
lattice element can help us to identify bad primes. From a theoretical point 
of view, this makes the design of modular algorithms much simpler. From 
a practical point of view, we avoid expensive computation of invariants to 
eliminate bad primes. 

Lemma 4.3 yields the correctness of both the new lifting Algorithm 6
and the resulting reconstruction Algorithm 3 calling black box Algorithm
4 instead of 1. In applications, the termination can be based either on the
knowledge of a priori bounds on the height of x/y or on an a posteriori
verification of the result. It should be mentioned that both methods are
used: some problems allow for easy verification, while others yield good
bounds.

Remark 4.4. Algorithm 6, which is just a special case of Gaussian reduction,
will always find a shortest vector in the lattice generated by $(N, 0)$ and $(r, 1)$.
Moreover, $b_i \ne 0$ for all $i > 0$ since in every step the vector $(a_i, b_i)$ gets
shorter and, hence, cannot be equal to $(N, 0)$.

Even though Algorithm 6 looks more complicated than Algorithm 2, by
[Nguyen et al. 2009, Section 3.3] the bit-complexity of both algorithms is
the same: $O(\log N)$.
Algorithm 6 Error Tolerant Lifting

Input: Integers $N > 2$ and $0 \le r \le N - 1$.
Output: $\psi_N(r)$ if $r \in C_N$ and false otherwise.
1: $(a_0, b_0) := (N, 0)$, $(a_1, b_1) := (r, 1)$, $i := -1$
2: repeat
3:     $i = i + 1$
4:     set $q_i := \left\lfloor \frac{a_i a_{i+1} + b_i b_{i+1}}{a_{i+1}^2 + b_{i+1}^2} \right\rceil$
5:     set $(a_{i+2}, b_{i+2}) = (a_i, b_i) - q_i (a_{i+1}, b_{i+1})$
6: until $a_{i+2}^2 + b_{i+2}^2 \ge a_{i+1}^2 + b_{i+1}^2$
7: if $a_{i+1}^2 + b_{i+1}^2 < N$ then
8:     return $a_{i+1}/b_{i+1}$
9: else
10:    return false



Example 4.5. We reconstruct the rational number $\frac{13}{12}$ using the modulus

$$N = 38885 = 5 \cdot 7 \cdot 11 \cdot 101.$$

With notation as above, $a = 13$, $b = 12$, $r = 22684$, and the Farey bound is

$$B = \left\lfloor \sqrt{(N-1)/2} \right\rfloor = 139.$$

Algorithm 2 applied to these data will correctly return $\frac{13}{12}$. Similarly for
Algorithm 6 which generates the sequence

$$(38885, 0) = 2 \cdot (22684, 1) + (-6483, -2),$$
$$(22684, 1) = -3 \cdot (-6483, -2) + (3235, -5),$$
$$(-6483, -2) = -2 \cdot (3235, -5) + (-13, -12),$$
$$(3235, -5) = -134 \cdot (-13, -12) + (1493, -1613).$$

Now, bad primes will enter the picture. Consider the Chinese remainder
isomorphism

$$\varphi : \mathbb{Z}/5\mathbb{Z} \times \mathbb{Z}/7\mathbb{Z} \times \mathbb{Z}/11\mathbb{Z} \times \mathbb{Z}/101\mathbb{Z} \to \mathbb{Z}/38885\mathbb{Z}.$$

The preimage of $r = \left(\frac{13}{12}\right)_N$ is

$$\varphi^{-1}(r) = (4, 4, 2, 60).$$

That is, r is the solution to the simultaneous congruences

$$x \equiv 4 \bmod 5$$
$$x \equiv 4 \bmod 7$$
$$x \equiv 2 \bmod 11$$
$$x \equiv 60 \bmod 101.$$

If we make 101 a bad prime by changing the congruence $x \equiv 60 \bmod 101$ to
$x \equiv 61 \bmod 101$, we obtain

$$\varphi(4, 4, 2, 61) = 16524.$$
Algorithm 6 then computes

$$(38885, 0) = 2 \cdot (16524, 1) + (5837, -2),$$
$$(16524, 1) = 3 \cdot (5837, -2) + (-987, 7),$$
$$(5837, -2) = -6 \cdot (-987, 7) + (-85, 40),$$
$$(-987, 7) = 10 \cdot (-85, 40) + (-137, -393).$$

Hence the output $\frac{-85}{40} = -\frac{17}{8} \ne \frac{13}{12}$ is not the desired lift. The reason for this
is that 101 is not small enough compared to its cofactor in N. Algorithm
2, on the other hand, returns false since the reduction process will also
terminate with $(85, -40)$ and these numbers are not coprime. Note that in
a setup as in Section 3, the wrong result does not cause problems since it will
be detected by pTest. As a consequence, the set of primes in Algorithm 5
will be enlarged (without discarding previous results). Eventually, the good
primes will outweigh the bad ones and Algorithm 6 will return the correct
lift. It will even tell us which of the primes under consideration are bad
primes. For example, replace the congruence $x \equiv 4 \bmod 7$ by $x \equiv 2 \bmod 7$,
so that

$$\varphi(4, 2, 2, 60) = 464.$$

Then Algorithm 6 yields

$$(38885, 0) = 84 \cdot (464, 1) + (-91, -84),$$
$$(464, 1) = -3 \cdot (-91, -84) + (191, -251),$$

and terminates with the correct lift

$$\frac{91}{84} = \frac{13}{12}.$$

Algorithm 2, on the other hand, will again return false since the reduction
also terminates with $(91, 84)$.
Since

$$(13^2 + 12^2) \cdot 7 < 5 \cdot 11 \cdot 101,$$

Lemma 4.3 shows that 7 is small enough compared to its cofactor in N.
Hence, the wrong result 2 modulo the bad prime 7 does not influence the
result of the lift. In fact, all other possible congruences modulo 7 will lead
to the same output. Note that $\gcd(91, 84, N) = 7$ is the bad prime.
Furthermore, note that in the example the lifting process involving the bad prime
requires fewer steps than the process relying on good primes only.
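
The three lifts of Example 4.5 and the set of residues from Example 4.1, recomputed in Python as an added example that is not code from the paper: Algorithm 2 and Algorithm 6 are implemented from their step descriptions, with `None` standing for false. The function names, the `crt` and `round_div` helpers, and rounding ties upward in the quotient are assumptions made here.

```python
# Added illustration (not the authors' code): Algorithms 2 and 6 on Example 4.5.
from fractions import Fraction
from math import gcd, prod


def crt(residues, moduli):
    """Chinese remainder lift for pairwise coprime moduli."""
    N = prod(moduli)
    r = 0
    for s, p in zip(residues, moduli):
        cofactor = N // p
        r += s * cofactor * pow(cofactor, -1, p)
    return r % N


def farey_preimage(N, r):
    """Algorithm 2 (Euclidean division); None plays the role of 'false'."""
    a0, b0, a1, b1 = N, 0, r, 1
    while 2 * a1 * a1 > N - 1:
        q = a0 // a1
        a0, b0, a1, b1 = a1, b1, a0 - q * a1, b0 - q * b1
    if 2 * b1 * b1 <= N - 1 and gcd(a1, b1) == 1:
        return Fraction(a1, b1)
    return None


def round_div(n, d):
    """Nearest integer to n/d (d > 0) in exact integer arithmetic."""
    return (2 * n + d) // (2 * d)


def error_tolerant_lift(N, r):
    """Algorithm 6: Gaussian reduction of the lattice <(N, 0), (r, 1)>.

    Returns (shortest vector, its quotient a/b), or None for 'false'.
    """
    (a0, b0), (a1, b1) = (N, 0), (r, 1)
    while True:
        q = round_div(a0 * a1 + b0 * b1, a1 * a1 + b1 * b1)
        a2, b2 = a0 - q * a1, b0 - q * b1
        if a2 * a2 + b2 * b2 >= a1 * a1 + b1 * b1:
            break  # the new vector is not shorter: (a1, b1) is a shortest vector
        (a0, b0), (a1, b1) = (a1, b1), (a2, b2)
    if a1 * a1 + b1 * b1 < N:
        return (a1, b1), Fraction(a1, b1)
    return None


def bad_prime_part(vector, N):
    """gcd of both components with N, as in gcd(91, 84, N) of Example 4.5."""
    return gcd(gcd(*vector), N)


def reconstructible(N):
    """Residues r on which Algorithm 6 succeeds, with the value it returns."""
    lifts = ((r, error_tolerant_lift(N, r)) for r in range(N))
    return {r: lift[1] for r, lift in lifts if lift is not None}


PRIMES = [5, 7, 11, 101]  # N = 38885
CASES = {  # residues of 13/12 from Example 4.5, then one residue changed
    "all good": [4, 4, 2, 60],
    "101 bad": [4, 4, 2, 61],
    "7 bad": [4, 2, 2, 60],
}


def run_example():
    N = prod(PRIMES)
    out = {}
    for name, residues in CASES.items():
        r = crt(residues, PRIMES)
        out[name] = (r, farey_preimage(N, r), error_tolerant_lift(N, r))
    return out


if __name__ == "__main__":
    for name, (r, classical, tolerant) in run_example().items():
        print(f"{name}: r={r}  Algorithm 2: {classical}  Algorithm 6: {tolerant}")
    print("gcd with N for r=464:", bad_prime_part((-91, -84), prod(PRIMES)))
    print("N=26 fails for r in", sorted(set(range(26)) - set(reconstructible(26))))
```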